Public Key Authentication

TL;DR

This guide shows how to set up SSH public key authentication. You generate a key pair on your client; the private key stays there (ideally passphrase-protected) and only the public key is copied into the server’s `~/.ssh/authorized_keys`. At login the client proves possession of the private key by signing a challenge, and the server checks that signature against the stored public key. No password crosses the network, nothing stored on the server can be used to log in as you, and no separate authentication server is needed: the SSH server verifies the signature against its own local file.

Setting Up Public Key Authentication

  1. Generate an SSH Key Pair: On your local machine (the one you’ll be connecting *from*), open a terminal or command prompt and create a new key pair:
    ssh-keygen -t rsa -b 4096

    You’ll be prompted for a file name (press Enter to accept the default, `~/.ssh/id_rsa`) and a passphrase. The passphrase encrypts the private key on disk, so a copied key file is useless without it; it is optional, but use one unless the key is for an unattended job. On current OpenSSH an Ed25519 key (`-t ed25519`, no `-b` needed) is a good alternative to RSA: smaller, faster, and with no key-size decision to get wrong.

  2. Copy Your Public Key: After generating the key pair, you need to copy your *public* key (the `.pub` file, never the private key without the suffix) to the server (the one you’ll be connecting *to*). There are several ways to do this:
    • Using ssh-copy-id (easiest): If available on your system, use this command. Replace username and server_address with the correct values.
      ssh-copy-id username@server_address

      You’ll be prompted for the server password once to copy the key.

    • Manually (if ssh-copy-id isn’t available):
      • Display your public key:
        cat ~/.ssh/id_rsa.pub
      • Copy the entire output of this command.
      • Log in to the server using password authentication (you’ll need the server password for this step).
      • Edit the ~/.ssh/authorized_keys file on the *server*. If the `~/.ssh` directory doesn’t exist, create it first; if the file doesn’t exist, this command creates it:
        nano ~/.ssh/authorized_keys
      • Paste your public key into this file as a single line. The file holds one key per line, so do not let the editor wrap or split the long line.
      • Save and close the authorized_keys file.
  3. Test Your Connection: Try connecting to the server using SSH:
    ssh username@server_address

    If you set a passphrase, you’ll be prompted for that (or your ssh-agent supplies it), not for the server password. If the server still asks for its password, the key was not accepted: check the permissions listed under Important Considerations below, and run the connection with `ssh -v` to see which keys were offered and why they were rejected.

  4. Disable Password Authentication (Optional but Recommended): Once key login works, disable password authentication on the server. This forces users to use SSH keys and removes the target for online password guessing. Keep your current SSH session open while you do this so a mistake doesn’t lock you out.
    • Edit the /etc/ssh/sshd_config file on the *server*:
      sudo nano /etc/ssh/sshd_config
    • Find these lines (uncomment them if they start with `#`) and change their values as follows:
      • PasswordAuthentication no
      • ChallengeResponseAuthentication no (if present; on OpenSSH 8.7 and later the keyword is KbdInteractiveAuthentication)
      • PubkeyAuthentication yes (the default, but make sure nothing sets it to no)
    • Check for drop-in files: if sshd_config begins with an `Include /etc/ssh/sshd_config.d/*.conf` line, a `PasswordAuthentication yes` in one of those files wins over your edit, because sshd keeps the first value it reads for a keyword. Ubuntu cloud images ship a `50-cloud-init.conf` that does exactly this; fix or remove that line as well.
    • Save and close the sshd_config file, then validate it before restarting: `sudo sshd -t` prints nothing when the configuration is valid.
    • Restart the SSH service (the unit is named ssh rather than sshd on Debian and Ubuntu):
      sudo systemctl restart sshd
    • From a second terminal, confirm that a password-only login attempt is now refused with "Permission denied (publickey)" instead of a password prompt.
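The following script is an added example, not code from the original post, covering the two places where the procedure above usually goes wrong: it installs a public key into authorized_keys idempotently with the permissions sshd expects, and it computes the *effective* value of PasswordAuthentication after Include drop-ins, using sshd’s first-value-wins rule. The sample key, the temporary file layout (an `sshd_config` with an `Include` pointing at a `sshd_config.d/50-cloud-init.conf`, mimicking Ubuntu) and the function names are all constructed for the demo; the parser assumes absolute Include paths and `Keyword value` syntax.

```shell
#!/bin/sh
# Added example, not code from the original post: an idempotent authorized_keys
# install plus an audit of the EFFECTIVE sshd PasswordAuthentication value once
# Include drop-ins are taken into account. Runs against constructed files in a
# temporary directory; nothing under /etc/ssh or your home directory is touched.
set -eu

# install_authorized_key PUBKEY_FILE AUTHORIZED_KEYS
# Appends the public key exactly once and sets the permissions sshd's
# StrictModes requires: 700 on the .ssh directory, 600 on authorized_keys.
install_authorized_key() {
    pubkey=$(cat "$1")
    auth_keys=$2
    ssh_dir=$(dirname "$auth_keys")
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"
    # -x whole-line, -F literal: a repeated run adds nothing.
    grep -qxF "$pubkey" "$auth_keys" || printf '%s\n' "$pubkey" >> "$auth_keys"
}

# expand_sshd_config MAIN_CONFIG
# Prints the config with each "Include <glob>" replaced by the matched files,
# in the order sshd reads them (recursive, so nested Includes work). Assumes
# absolute Include paths; real sshd resolves relative ones against /etc/ssh.
expand_sshd_config() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "Include "*|"include "*)
                for inc in ${line#* }; do   # unquoted on purpose so the glob expands
                    if [ -f "$inc" ]; then expand_sshd_config "$inc"; fi
                done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# sshd_global_value MAIN_CONFIG KEYWORD
# sshd keeps the FIRST value it sees for a keyword, so a drop-in pulled in by an
# Include at the top of sshd_config beats a line you edited further down.
# Scanning stops at the first Match block, whose values are conditional.
# Assumes "Keyword value" syntax, not "Keyword=value"; prints nothing if unset.
sshd_global_value() {
    expand_sshd_config "$1" | awk -v kw="$2" '
        /^[[:space:]]*(#|$)/       { next }
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(kw) { print tolower($2); exit }'
}

# password_auth_disabled MAIN_CONFIG
# Succeeds only when the effective global value is "no". An absent keyword means
# sshd's compiled-in default, which is "yes", so that still counts as enabled.
password_auth_disabled() {
    [ "$(sshd_global_value "$1" PasswordAuthentication)" = "no" ]
}

# Demo on constructed files (constructed sample key, not a real one).
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleNotARealKey alice@laptop\n' > "$tmp/id_ed25519.pub"
    install_authorized_key "$tmp/id_ed25519.pub" "$tmp/.ssh/authorized_keys"
    install_authorized_key "$tmp/id_ed25519.pub" "$tmp/.ssh/authorized_keys"   # no duplicate
    echo "authorized_keys lines: $(wc -l < "$tmp/.ssh/authorized_keys" | tr -d ' ')"

    # The Ubuntu cloud-image trap: a drop-in re-enables passwords and wins over
    # the hand-edited "no" in the main file because the Include comes first.
    mkdir -p "$tmp/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$tmp/sshd_config.d/50-cloud-init.conf"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\n' "$tmp" > "$tmp/sshd_config"
    echo "effective PasswordAuthentication: $(sshd_global_value "$tmp/sshd_config" PasswordAuthentication)"
    password_auth_disabled "$tmp/sshd_config" || echo "passwords still enabled: fix the drop-in too"
    rm -rf "$tmp"
}
demo
```

Run it as `sh ./sshd_audit.sh` on any machine; to audit a real server, call `sshd_global_value /etc/ssh/sshd_config PasswordAuthentication` as root and compare with what `sshd -T` reports, which is the authoritative view because it also evaluates Match blocks.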

Important Considerations

  • Key Security: Keep your private key (~/.ssh/id_rsa) secure, never copy it to the server, and never share it. It must be readable only by you (mode 600, which ssh-keygen sets); ssh refuses to use a private key that other users can read.
  • Passphrase Protection: Always use a strong passphrase to protect your private key, and use ssh-agent so you type it once per session rather than on every connection.
  • Permissions: With the default StrictModes yes, sshd silently ignores authorized_keys when the file, the ~/.ssh directory or your home directory is writable by other users, and you fall back to a password prompt. On the server:
    • chmod 700 ~/.ssh
    • chmod 600 ~/.ssh/authorized_keys
  • Why this is stronger than passwords: the private key is never transmitted, so it cannot be sniffed or phished by a fake server; the server stores only public keys, so a compromised server or leaked authorized_keys gives an attacker no credential that works anywhere; and a 4096-bit RSA or Ed25519 key cannot be guessed online the way a password can.